webhook: add conversion webhook for cephconnection

Signed-off-by: Niraj Yadav <niryadav@redhat.com>

Author: black-dragon74

PROJECT

@@ -60,4 +60,9 @@ resources:
   kind: CephConnection
   path: github.com/ceph/ceph-csi-operator/api/csi/v1beta1
   version: v1beta1
+  webhooks:
+    conversion: true
+    spoke:
+    - v1alpha1
+    webhookVersion: v1
 version: "3"

api/csi/v1alpha1/cephconnection_conversion.go

@@ -0,0 +1,65 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"errors"
+	"log"
+
+	"sigs.k8s.io/controller-runtime/pkg/conversion"
+
+	csiv1beta1 "github.com/ceph/ceph-csi-operator/api/csi/v1beta1"
+)
+
+// ConvertTo converts this CephConnection (v1alpha1) to the Hub version (v1beta1).
+func (src *CephConnection) ConvertTo(dstRaw conversion.Hub) error {
+	dst, ok := dstRaw.(*csiv1beta1.CephConnection)
+	if !ok {
+		return errors.New("convertto: failed to cast to v1beta1 CephConnection")
+	}
+
+	log.Printf("ConvertTo: Converting CephConnection from Spoke version v1alpha1 to Hub version v1beta1;"+
+		"source: %s/%s, target: %s/%s", src.Namespace, src.Name, dst.Namespace, dst.Name)
+
+	dst.ObjectMeta = src.ObjectMeta
+
+	dst.Spec.Monitors = src.Spec.Monitors
+	dst.Spec.RbdMirrorDaemonCount = src.Spec.RbdMirrorDaemonCount
+	dst.Spec.ReadAffinity = (*csiv1beta1.ReadAffinitySpec)(src.Spec.ReadAffinity)
+
+	return nil
+}
+
+// ConvertFrom converts the Hub version (v1beta1) to this CephConnection (v1alpha1).
+func (dst *CephConnection) ConvertFrom(srcRaw conversion.Hub) error {
+	src, ok := srcRaw.(*csiv1beta1.CephConnection)
+	if !ok {
+		return errors.New("convertfrom: failed to cast to v1beta1 CephConnection")
+
+	}
+
+	log.Printf("ConvertFrom: Converting CephConnection from Hub version v1beta1 to Spoke version v1alpha1;"+
+		"source: %s/%s, target: %s/%s", src.Namespace, src.Name, dst.Namespace, dst.Name)
+
+	dst.ObjectMeta = src.ObjectMeta
+
+	dst.Spec.Monitors = src.Spec.Monitors
+	dst.Spec.RbdMirrorDaemonCount = src.Spec.RbdMirrorDaemonCount
+	dst.Spec.ReadAffinity = (*ReadAffinitySpec)(src.Spec.ReadAffinity)
+
+	return nil
+}

api/csi/v1beta1/cephconnection_conversion.go

@@ -0,0 +1,22 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+
+// Hub marks this type as a conversion hub.
+func (*CephConnection) Hub() {}

api/csi/v1beta1/cephconnection_types.go

@@ -46,6 +46,7 @@ type CephConnectionStatus struct {
 }
 
 // +kubebuilder:object:root=true
+// +kubebuilder:conversion:hub
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
 

api/go.mod

@@ -5,6 +5,7 @@ go 1.23.0
 require (
 	k8s.io/api v0.32.1
 	k8s.io/apimachinery v0.32.1
+	sigs.k8s.io/controller-runtime v0.20.3
 )
 
 require (

api/go.sum

@@ -87,6 +87,8 @@ k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/controller-runtime v0.20.3 h1:I6Ln8JfQjHH7JbtCD2HCYHoIzajoRxPNuvhvcDbZgkI=
+sigs.k8s.io/controller-runtime v0.20.3/go.mod h1:xg2XB0K5ShQzAgsoujxuKN4LNXR2LfwwHsPj7Iaw+XY=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.2 h1:MdmvkGuXi/8io6ixD5wud3vOLwc1rj0aNqRlpuvjmwA=

cmd/main.go

@@ -38,11 +38,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	csiv1alpha1 "github.com/ceph/ceph-csi-operator/api/csi/v1alpha1"
 	csiv1beta1 "github.com/ceph/ceph-csi-operator/api/csi/v1beta1"
 	controller "github.com/ceph/ceph-csi-operator/internal/controller/csi"
 	"github.com/ceph/ceph-csi-operator/internal/utils"
+	webhookcsiv1beta1 "github.com/ceph/ceph-csi-operator/internal/webhook/csi/v1beta1"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -62,6 +64,7 @@ func init() {
 func main() {
 	var metricsAddr string
 	var metricsCertPath, metricsCertName, metricsCertKey string
+	var webhookCertPath, webhookCertName, webhookCertKey string
 	var enableLeaderElection bool
 	var enableHTTP2 bool
 	var probeAddr string
@@ -79,6 +82,9 @@ func main() {
 		"The directory that contains the metrics server certificate.")
 	flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", "The name of the metrics server certificate file.")
 	flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", "The name of the metrics server key file.")
+	flag.StringVar(&webhookCertPath, "webhook-cert-path", "", "The directory that contains the webhook certificate.")
+	flag.StringVar(&webhookCertName, "webhook-cert-name", "tls.crt", "The name of the webhook certificate file.")
+	flag.StringVar(&webhookCertKey, "webhook-cert-key", "tls.key", "The name of the webhook key file.")
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics")
 
@@ -104,7 +110,34 @@ func main() {
 		tlsOpts = append(tlsOpts, disableHTTP2)
 	}
 	// Create watchers for metrics certificates
-	var metricsCertWatcher *certwatcher.CertWatcher
+	var metricsCertWatcher, webhookCertWatcher *certwatcher.CertWatcher
+
+	// Initial webhook TLS options
+	webhookTLSOpts := tlsOpts
+
+	if len(webhookCertPath) > 0 {
+		setupLog.Info("Initializing webhook certificate watcher using provided certificates",
+			"webhook-cert-path", webhookCertPath, "webhook-cert-name", webhookCertName, "webhook-cert-key", webhookCertKey)
+
+		var err error
+		webhookCertWatcher, err = certwatcher.New(
+			filepath.Join(webhookCertPath, webhookCertName),
+			filepath.Join(webhookCertPath, webhookCertKey),
+		)
+		if err != nil {
+			setupLog.Error(err, "Failed to initialize webhook certificate watcher")
+			os.Exit(1)
+		}
+
+		webhookTLSOpts = append(webhookTLSOpts, func(config *tls.Config) {
+			config.GetCertificate = webhookCertWatcher.GetCertificate
+		})
+	}
+
+	webhookServer := webhook.NewServer(webhook.Options{
+		TLSOpts: webhookTLSOpts,
+	})
+
 	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
 	// More info:
 	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.20.0/pkg/metrics/server
@@ -169,6 +202,7 @@ func main() {
 	}
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:                 scheme,
+		WebhookServer:          webhookServer,
 		Metrics:                metricsServerOptions,
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
@@ -212,6 +246,13 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "ClientProfileMapping")
 		os.Exit(1)
 	}
+	// nolint:goconst
+	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
+		if err = webhookcsiv1beta1.SetupCephConnectionWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, "unable to create webhook", "webhook", "CephConnection")
+			os.Exit(1)
+		}
+	}
 	//+kubebuilder:scaffold:builder
 
 	if metricsCertWatcher != nil {
@@ -222,6 +263,14 @@ func main() {
 		}
 	}
 
+	if webhookCertWatcher != nil {
+		setupLog.Info("Adding webhook certificate watcher to manager")
+		if err := mgr.Add(webhookCertWatcher); err != nil {
+			setupLog.Error(err, "unable to add webhook certificate watcher to manager")
+			os.Exit(1)
+		}
+	}
+
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
 		setupLog.Error(err, "unable to set up health check")
 		os.Exit(1)

config/certmanager/certificate-metrics.yaml

@@ -0,0 +1,20 @@
+# The following manifests contain a self-signed issuer CR and a metrics certificate CR.
+# More document can be found at https://docs.cert-manager.io
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app.kubernetes.io/name: ceph-csi-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: metrics-certs  # this name should match the one appeared in kustomizeconfig.yaml
+  namespace: system
+spec:
+  dnsNames:
+  # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
+  # replacements in the config/default/kustomization.yaml file.
+  - SERVICE_NAME.SERVICE_NAMESPACE.svc
+  - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: metrics-server-cert

config/certmanager/certificate-webhook.yaml

@@ -0,0 +1,20 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app.kubernetes.io/name: ceph-csi-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
+  namespace: system
+spec:
+  # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
+  # replacements in the config/default/kustomization.yaml file.
+  dnsNames:
+  - SERVICE_NAME.SERVICE_NAMESPACE.svc
+  - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: webhook-server-cert

config/certmanager/issuer.yaml

@@ -0,0 +1,13 @@
+# The following manifest contains a self-signed issuer CR.
+# More information can be found at https://docs.cert-manager.io
+# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    app.kubernetes.io/name: ceph-csi-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: selfsigned-issuer
+  namespace: system
+spec:
+  selfSigned: {}